azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Session log: Dataforth M365 security investigation - jantar@dataforth.com

Browse Source 
Darkweb scan follow-up: ran 10-point breach check on jantar@dataforth.com (no IOCs),
revoked eM Client OAuth grant and app role assignment, disabled eM Client SP tenant-wide.
Syncro ticket #109790034 created, billed 1hr prepaid, resolved.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-05-03 10:37:22 -07:00
parent bd3fac798e
commit 2e98f95c9f
2 changed files with 307 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

119
clients/dataforth/session-logs/2026-05-03-session.md Normal file
View File

@@ -0,0 +1,119 @@
# Session Log: 2026-05-03
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-BEAST-ROG
- **Role:** admin
## Session Summary
A request was made to perform an M365 remediation check on jantar@dataforth.com following a darkweb scan indicating her credentials had been breached on a third-party site. The tenant ID for dataforth.com was resolved to `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584`. Graph and Exchange tokens were acquired using certificate authentication. A full 10-point M365 breach check was executed, revealing no indicators of compromise. One disabled graymail inbox rule was identified, but no mailbox forwarding, delegates, or suspicious permissions were found. All sign-ins originated from a consistent IP address in Salt Lake City, and SMS MFA was configured.
An eM Client application with high-privilege IMAP/EWS scopes was found connected to the user account. The client confirmed eM Client is no longer in use at Dataforth. The OAuth grant and app role assignment were revoked for jantar@dataforth.com. A tenant sweep confirmed no other users had the app connected. The eM Client service principal was then disabled tenant-wide to prevent future re-authorization.
A breach check report was saved to the client reports directory. A Syncro ticket was created, billed against Dataforth's prepaid block (1hr), and marked Resolved.
## Key Decisions
- Checked tenant-wide for other eM Client users before disabling the SP — confirmed jantar was the only connected user, making the tenant-wide disable clean with no user impact.
- Used `user-manager` tier for grant/role revocation (minimum necessary privilege) and escalated to `tenant-admin` only for the SP disable — kept to least-privilege throughout.
- Billed against Dataforth's prepaid block (47.5 hrs available) rather than standard remote rate — appropriate for a security task under their managed agreement.
- Contact set to Dan Center (IT admin) rather than Jacque Antar (end user) — ticket is an IT security action, not an end-user support request.
## Problems Encountered
- **IdentityRiskyUser scope not consented:** The Security Investigator app lacks `IdentityRiskyUser.Read.All` consent in the Dataforth tenant, causing a 403 on the risky user check. Risk detections came back 0 via an alternate endpoint. Not resolved this session — documented in the report with consent URL for follow-up.
- **Graph replication lag:** POST responses for grant/SP deletions returned stale data immediately after HTTP 204. Re-queried after 5-6 second delay each time; all changes verified confirmed.
- **eM Client SP not found by appId filter:** `GET /servicePrincipals?$filter=appId eq '...'` returned empty under both `investigator` and `tenant-admin` tiers. Resolved by querying the SP directly by its object ID (sourced from the `resourceId` field in the app role assignment).
---
## Breach Check: jantar@dataforth.com
**Trigger:** Darkweb scan report — credentials found in third-party breach
**User:** Jacque Antar | Object ID: `daa60027-be31-47a5-87af-d728499a9cc4`
**Tenant:** dataforth.com | `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584`
**Verdict:** No indicators of compromise
| Check | Result |
|---|---|
| Account status | Enabled, pw changed 2026-03-09 |
| Inbox rules (Graph) | 1 — "Move Graymail to folder", disabled. Clean. |
| Hidden inbox rules (Exchange) | None |
| Mailbox forwarding | None |
| Mailbox delegates | None |
| SendAs | None |
| OAuth grants | Apple Internet Accounts (EAS) + eM Client (IMAP/EWS) — eM Client revoked |
| Auth methods | Password + Phone SMS (+1 520-245-6929). No authenticator app. |
| Sign-ins (30d) | 8 — all from 67.206.163.122, Salt Lake City US, Windows 10. No foreign logins. |
| Directory audits (30d) | 3 system updates + 2 group adds by dcenter@dataforth.com. Routine. |
| Identity risk | 403 (scope not consented) / 0 risk detections |
**Recommendations noted in report:**
- Upgrade MFA from SMS to Microsoft Authenticator
- Confirm "Dime Client" app is authorized (7/8 sign-ins)
- Consent IdentityRiskyUser scope for full risk signal visibility
---
## Remediation Actions
### 1. eM Client OAuth Grant Revoked (jantar@dataforth.com)
- **Grant ID:** `CBzbJaD1bE-73ac4aJsVh1kfp75Wee1Bj5lF8xxKY0InAKbaMb6lR4ev1yhJmpzE`
- **Scopes removed:** `IMAP.AccessAsUser.All EWS.AccessAsUser.All offline_access email openid`
- **Tier:** `user-manager` | Result: HTTP 204 | Verified
### 2. eM Client App Role Assignment Revoked (jantar@dataforth.com)
- **Assignment ID:** `JwCm2jG-pUeHr9coSZqcxBZRSQMEXYFOsp2E7viR7Xo`
- **Tier:** `user-manager` | Result: HTTP 204 | Verified
### 3. eM Client Service Principal Disabled (tenant-wide)
- **SP Object ID:** `25db1c08-f5a0-4f6c-bbdd-a738689b1587`
- **SP appId:** `e9a7fea1-1cc0-4cd9-a31b-9137ca5deedd`
- **Change:** `accountEnabled: true``accountEnabled: false`
- **Tier:** `tenant-admin` | Result: HTTP 204 | Verified `accountEnabled: false`
- **Scope:** Tenant-wide — no user in Dataforth tenant can authorize eM Client going forward
---
## Syncro Ticket
| Field | Value |
|---|---|
| Ticket # | **#109790034** |
| Subject | M365 Security Investigation - jantar@dataforth.com |
| Customer | Dataforth Corp (id: 578095) |
| Contact | Dan Center (id: 2774091) |
| Assigned | Mike Swanson (1735) |
| Issue Type | Security |
| Status | **Resolved** |
| Invoice # | **#1650179002** |
| Labor | Prepaid Project Labor (9269129), 1.0 hr @ $0.00 |
| Prepaid hrs | 47.5 → **46.5** hrs remaining |
---
## Files Created / Modified
| File | Action |
|---|---|
| `clients/dataforth/reports/2026-05-03-user-breach-check-jantar.md` | Created — full 10-point breach check report |
| `clients/dataforth/session-logs/2026-05-03-session.md` | Created — this file |
---
## Raw Artifacts
Breach check JSON artifacts at (local, not committed):
```
/tmp/remediation-tool/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/user-breach/jantar_dataforth_com/
```
---
## Pending / Follow-Up
- [ ] Consent `IdentityRiskyUser.Read.All` scope in Dataforth tenant for full Identity Protection visibility
Consent URL: `https://login.microsoftonline.com/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c&redirect_uri=https://azcomputerguru.com&prompt=consent`
- [ ] Confirm "Dime Client" app with Dataforth — verify it is an authorized internal application
- [ ] Consider pushing Jacque Antar to Microsoft Authenticator (currently SMS-only MFA)